From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Daniel Axtens <dja@axtens.net>
Date: Mon, 18 Jan 2021 15:47:24 +1100
Subject: [PATCH] fs/jfs: Catch infinite recursion
It's possible with a fuzzed filesystem for JFS to keep getblk()-ing
the same data over and over again, leading to stack exhaustion.
Check if we'd be calling the function with exactly the same data as
was passed in, and if so abort.
I'm not sure what the performance impact of this is and am open to
better ideas.
Signed-off-by: Daniel Axtens <dja@axtens.net>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
---
grub-core/fs/jfs.c | 11 ++++++++++-
1 file changed, 10 insertions(+), 1 deletion(-)
diff --git a/grub-core/fs/jfs.c b/grub-core/fs/jfs.c
index 6e81f37da6c..20d966abfc0 100644
--- a/grub-core/fs/jfs.c
+++ b/grub-core/fs/jfs.c
@@ -304,7 +304,16 @@ getblk (struct grub_jfs_treehead *treehead,
<< (grub_le_to_cpu16 (data->sblock.log2_blksz)
- GRUB_DISK_SECTOR_BITS), 0,
sizeof (*tree), (char *) tree))
- ret = getblk (&tree->treehead, &tree->extents[0], 254, data, blk);
+ {
+ if (grub_memcmp (&tree->treehead, treehead, sizeof (struct grub_jfs_treehead)) ||
+ grub_memcmp (&tree->extents, extents, 254 * sizeof (struct grub_jfs_tree_extent)))
+ ret = getblk (&tree->treehead, &tree->extents[0], 254, data, blk);
+ else
+ {
+ grub_error (GRUB_ERR_BAD_FS, "jfs: infinite recursion detected");
+ ret = -1;
+ }
+ }
grub_free (tree);
return ret;
}
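Review bot: The second grub_memcmp in the new check always compares `254 * sizeof (struct grub_jfs_tree_extent)` bytes against the incoming `extents`, yet the hunk header shows getblk takes a `max_extents` parameter (the function starts outside the hunk), which suggests a caller can pass a smaller extent array, and for such a caller this read runs past the buffer it handed in. Bounding the comparison by what the caller passed, `grub_memcmp (&tree->extents, extents, max_extents * sizeof (struct grub_jfs_tree_extent))`, keeps the read in bounds; whether a smaller-array caller actually exists should be confirmed against the callers. Separately, the check only recognises a child block that is byte-identical to its parent, so a fuzzed image whose blocks form a longer cycle or simply a very long chain of distinct blocks still recurses without bound, and a depth limit threaded through the recursion would be the more general guard. A short comment above the check would help the next reader, e.g. `/* A block identical to its parent would recurse forever; reject it. */`.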